Permissions and roles

This page describes permissions used in Binary Authorization.

Required permissions

The following table lists the permission that the caller must hold, and the resource it must be held on, for each API method:

Method Required Permission(s)
getPolicy binaryauthorization.policy.get on the requested policy.
updatePolicy binaryauthorization.policy.update on the policy to update.
policy.getIamPolicy binaryauthorization.policy.getIamPolicy on the requested policy.
policy.setIamPolicy binaryauthorization.policy.setIamPolicy on the requested policy.
policy.testIamPermissions None.
attestors.list binaryauthorization.attestors.list on the containing Cloud project.
attestors.get binaryauthorization.attestors.get on the requested attestor.
attestors.create binaryauthorization.attestors.create on the containing Cloud project.
attestors.delete binaryauthorization.attestors.delete on the attestor to delete.
attestors.update binaryauthorization.attestors.update on the attestor to update.
attestors.getIamPolicy binaryauthorization.attestors.getIamPolicy on the requested attestor.
attestors.setIamPolicy binaryauthorization.attestors.setIamPolicy on the requested attestor.
attestors.testIamPermissions None.
continuousValidationConfig.get binaryauthorization.continuousValidationConfig.get on the requested continuousValidationConfig.
continuousValidationConfig.update binaryauthorization.continuousValidationConfig.update on the requested continuousValidationConfig.
continuousValidationConfig.getIamPolicy binaryauthorization.continuousValidationConfig.getIamPolicy on the requested continuousValidationConfig.
continuousValidationConfig.setIamPolicy binaryauthorization.continuousValidationConfig.setIamPolicy on the requested continuousValidationConfig.
continuousValidationConfig.testIamPermissions None.

Project types

Binary Authorization resources can be spread across several projects. The following table lists the project types and what each one holds; the permissions above are granted on the resource in whichever project actually contains it:

Project type Description
Deployer A project that manages the Google Kubernetes Engine (GKE) clusters where your images are deployed, as well as the Binary Authorization policy that governs deployment.
Image A project that contains the image(s) to be verified.
Attestor A project that stores attestor definitions. You can also use the note project for this purpose.
Note A project that stores attestor notes for a particular attestor definition. You can also use the attestor project for this purpose.
Attestation A project that stores attestations for a particular attestor. You can also use the attestor project or the image project for this purpose.

Predefined roles

The following table lists the predefined Binary Authorization IAM roles with corresponding permissions each role includes. Note that every permission is applicable to a particular resource type.

The basic roles Owner, Editor and Viewer can be used on Binary Authorization resources, in addition to the predefined resource-specific roles: Admin, Editor and Viewer for policies, and Admin, Editor, Verifier and Viewer for attestors.

Roles for the policy resource

Role Includes permission(s):
roles/binaryauthorization.policyViewer
binaryauthorization.policy.get
binaryauthorization.continuousValidationConfig.get
roles/binaryauthorization.policyEditor
All of the roles/binaryauthorization.policyViewer permissions, as well as:
binaryauthorization.policy.update
binaryauthorization.continuousValidationConfig.update
roles/binaryauthorization.policyAdmin
All of the roles/binaryauthorization.policyEditor permissions, as well as:
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy

Roles for the attestor resource

Role Includes permission(s):
roles/binaryauthorization.attestorsViewer
binaryauthorization.attestors.get
binaryauthorization.attestors.list
roles/binaryauthorization.attestorsEditor
All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.update
roles/binaryauthorization.attestorsVerifier
All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
binaryauthorization.attestors.verifyImageAttested
roles/binaryauthorization.attestorsAdmin
All of the roles/binaryauthorization.attestorsEditor permissions, as well as:
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.setIamPolicy

Note that the basic roles roles/owner, roles/editor, and roles/viewer grant permissions across every Google Cloud service in the project, not just Binary Authorization. For least privilege, bind the predefined roles above to the identity that needs them (for example, roles/binaryauthorization.attestorsVerifier for an identity that only needs to verify attestations) rather than a basic role.

Checking permissions

policy.testIamPermissions, attestors.testIamPermissions and continuousValidationConfig.testIamPermissions require no permission and can be called by any authenticated identity. Each takes a list of permissions and returns the subset that the caller actually holds on that resource, so you can check effective access (including access inherited from project or folder bindings) before attempting a change, instead of reasoning about role bindings by hand.